Systems and methods for monitoring and securing networks using a shared buffer

ABSTRACT

Disclosed are systems and methods for securing a network including one or more network nodes connecting a plurality of network connected devices of the network. A method may include: receiving and temporarily storing a plurality of data packets in a shared buffer of a network node; receiving requests from a first processing engine and a second processing engine to access a temporarily stored data packet; generating a first pointer and a second pointer to the temporarily stored data packet, the second pointer being different from the first pointer while pointing to the same temporarily stored data packet; and enabling the first processing engine to use the generated first pointer to access the temporarily stored data packet and the second processing engine to use the generated second pointer to access the temporarily stored data packet.

TECHNICAL FIELD

The present disclosure relates to systems and methods of monitoring and securing a network and, more particularly, to systems and methods of using a shared buffer and pointers for analyzing network traffic.

BACKGROUND

Analysis of network traffic often involves multiple tools to observe the same data packet and/or session and using such tools to correlate context across multiple data sources. Conventional methods and systems for network traffic analysis achieve this by copying network traffic across multiple tools, which considerably reduces performance. For example, a network packet may be copied across multiple buffers to allow different tools and/or processes to access the same network packet at the same time. Accordingly, such methods and systems for network traffic analysis are not effective or operable in higher scale network environments.

Therefore, there is a need for systems and methods for monitoring and securing a network that achieve higher performance and efficiency in network traffic analysis.

SUMMARY OF THE DISCLOSURE

Embodiments of the present disclosure include systems and methods for monitoring and securing a network.

According to certain embodiments, a computer-implemented method for securing a network comprising one or more network nodes connecting a plurality of network connected devices of the network is disclosed. The computer-implemented method may include: receiving a plurality of data packets at a network node of the network; temporarily storing the received data packets in a shared buffer of the network node; receiving a first request transmitted by a first processing engine to access a first temporarily stored data packet; establishing a connection with the first processing engine; generating a first pointer to the first temporarily stored data packet; enabling the first processing engine to use the generated first pointer to access the first temporarily stored data packet; receiving a second request transmitted by a second processing engine to access the first temporarily stored data packet; establishing a connection with the second processing engine; generating a second pointer to the first temporarily stored data packet, the second pointer being different from the first pointer while pointing to the same first temporarily stored data packet; and enabling the second processing engine to use the generated second pointer to access the first temporarily stored data packet.

In accordance with another embodiment, a network node of a network including one or more network nodes connecting a plurality of network connected devices of the network is disclosed. The network node may include: a data storage device storing processor-readable instructions; and a processor configured to execute the instructions to perform a method. The method may include: receiving a plurality of data packets at a network node of the network; temporarily storing the received data packets in a shared buffer of the network node; receiving a first request transmitted by a first processing engine to access a first temporarily stored data packet; establishing a connection with the first processing engine; generating a first pointer to the first temporarily stored data packet; enabling the first processing engine to use the generated first pointer to access the first temporarily stored data packet; receiving a second request transmitted by a second processing engine to access the first temporarily stored data packet; establishing a connection with the second processing engine; generating a second pointer to the first temporarily stored data packet, the second pointer being different from the first pointer while pointing to the same first temporarily stored data packet; and enabling the second processing engine to use the generated second pointer to access the first temporarily stored data packet.

In accordance with another embodiment, a network node of a network including one or more network nodes connecting a plurality of network connected devices of the network is disclosed. The network node may include a non-transitory computer-readable medium containing instructions that, when executed by a processor, cause the processor to perform a method. The method may include: receiving a plurality of data packets at a network node of the network; temporarily storing the received data packets in a shared buffer of the network node; receiving a first request transmitted by a first processing engine to access a first temporarily stored data packet; establishing a connection with the first processing engine; generating a first pointer to the first temporarily stored data packet; enabling the first processing engine to use the generated first pointer to access the first temporarily stored data packet; receiving a second request transmitted by a second processing engine to access the first temporarily stored data packet; establishing a connection with the second processing engine; generating a second pointer to the first temporarily stored data packet, the second pointer being different from the first pointer while pointing to the same first temporarily stored data packet; and enabling the second processing engine to use the generated second pointer to access the first temporarily stored data packet.

BRIEF DESCRIPTION OF THE DRAWINGS

The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate various exemplary embodiments and, together with the description, serve to explain the principles of the disclosed embodiments.

FIG. 1 depicts a schematic diagram illustrating an example of a computer network and environment within which the computer systems and methods disclosed herein are implemented according to some embodiments of the present disclosure.

FIG. 2 depicts a schematic diagram illustrating an example of a computer network and environment within which the computer systems and methods disclosed herein are implemented according to some embodiments of the present disclosure.

FIG. 3 depicts an exemplary network node according to embodiments of the present disclosure.

FIG. 4 depicts an exemplary network node according to embodiments of the present disclosure.

FIG. 5 depicts an exemplary method for securing a network comprising one or more network nodes connecting a plurality of network connected devices of the network, according to exemplary embodiments of the present disclosure.

DETAILED DESCRIPTION OF EMBODIMENTS

Reference will now be made in detail to the exemplary embodiments of the disclosure, examples of which are illustrated in the accompanying drawings. Wherever possible, the same reference numbers will be used throughout the drawings to refer to the same or like parts.

The present disclosure is directed to systems and methods for software defined packet coordination. In the context of the current disclosure, “software defined packet coordination” refers to any desired techniques for monitoring packets of a network, e.g., analyzing individual packets within network traffic to detect security threats, in accordance with the embodiments disclosed herein. In particular, the present disclosure is directed to the use of a circular buffer to temporarily store packets passing through the network to allow multiple parallel security processes to access and analyze the same packet, without copying, duplicating, or backing up copies of the packet. For example, a packet temporarily stored in the circular buffer may be accessible via one or more pointers, and each security process may be assigned a separate pointer to access and analyze the same temporarily stored packet without the need to copy the packet for each security process.

In some embodiments, systems for software defined packet coordination may include the following components, as will be described in further detail below: one or more shared buffers configured to store incoming network packets; software pipes created on top of the shared buffers that may allow the buffer to be accessed as shared memory across multiple processes; multiple pointers that may allow each process to access the buffers; and a controller (also referred to as a packet coordinator) configured to coordinate the aforementioned components.

In some embodiments, the packet coordinator may be configured to coordinate the one or more buffers, the software pipes, and the multiple pointers such that multiple separate processes may access the same data packet without the need to copy the data packet for each process. In some embodiments, the one or more shared buffers may be configured to store incoming data packets such that the packet coordinator may coordinate access to the stored data packets. In some embodiments, the one or more shared buffers may be shared circular packet buffers. In some embodiments, the packet coordinator may be configured to establish one or more software pipes such that a process may utilize a software pipe to access a pointer which may point to a packet in a shared buffer. In the context of the current disclosure, a software pipe may be referred to as a temporary software connection, for example, a temporary connection between a process and a shared buffer. Each stored packet in the one or more shared buffers may become accessible via a shared pointer. In the context of the current disclosure, shared pointers may refer to more than two pointers pointing to a same stored data packet. For example, a first process may be assigned a first pointer, e.g., by the packet coordinator, that points to a stored data packet, and a second process may be assigned a second pointer, e.g., by the packet coordinator, that also points to the same stored data packet. Accordingly, the first and second pointers each “share” the same stored data packet. Hence, both the first and second pointers may be referred to as first and second shared pointers, respectively.

As will be described in further detail below, software defined packet coordination may allow multiple processes to access the same data packet and simultaneously analyze the same data packet, e.g., perform a security analysis of the same data packet, without contention.

Some advantages provided by the embodiments disclosed herein may include: (1) elimination of the need to generate a copy of a data packet, thereby avoiding unnecessary memory usage and enhancing performance; (2) coordination of access by multiple processes to the same packet to prevent concurrency problems; and (3) allowing any process to take or initiate action over a stored packet and/or session without causing disruption and invalid pointers to other processes still analyzing the same packet and/or session.

Turning now to the figures, FIG. 1 shows a block diagram of a computer network and environment (hereinafter referred to as system 100) for implementing embodiments of the present disclosure, or aspects thereof. System 100 may include one or more network nodes 102A-102D, one or more endpoints 104A-104D, one or more agent nodes 106A-106B, and one or more controllers 108. As shown in FIG. 1, one or more switches, firewall modules, routers, and/or router-switch processors may interconnect the aforementioned network nodes 102A-102D, endpoints 104A-104D, agent nodes 106A-106B, and/or controllers 108. The network nodes 102A-102D, endpoints 104A-104D, agent nodes 106A-106B, and/or controllers 108 may be connected to the internet 110 through the one or more switches, firewall modules, routers, and/or router-switch processors. It is understood that the system 100 may include fewer or more than the number of network nodes, endpoints, agent nodes, and/or controllers depicted in FIG. 1 in other embodiments.

The one or more network nodes 102A-102D may form a distributed control plane. The controller 108 may be configured to manage the distributed control plane. In some embodiments, the controller 108 may manage the distributed control plane by alerting, automating, and/or implementing workflow integrations for the network nodes 102A-102D. Accordingly, the controller 108 may be referred to as a policy decision point for the system 100. For example, policies such as automation and/or workflow integrations for the one or more network nodes 102A-102D may be determined by the controller 108. In some embodiments, any combination of the one or more network nodes 102A-102D may comprise the controller 108.

The one or more network nodes 102A-102D may be configured to provide visibility to a network associated with each respective network node 102A-102D and enforce predetermined policies, e.g., automation and/or workflow integrations. For example, network nodes 102A-102D may provide connection reports, e.g., to the controller 108, to provide such visibility. In some embodiments, the controller 108 may update policies for the one or more network nodes 102A-102D based on such reports.

In some embodiments, a network node 102A may provide access to a perimeter network including DMZ services, such as web servers, mail servers, FTP servers, VoIP servers, and the like. In the context of the current disclosure, DMZ services (demilitarized zone services) may refer to a perimeter network that may be a physical or logical subnetwork that contains and exposes an organization's external-facing services to an untrusted network such as the Internet. In such embodiments, network node 102A may provide visibility to the perimeter network and enforce predetermined policies for the perimeter network. In some embodiments, a network node 102B, 102D may provide access to an internal network Local Area Network (LAN), such as a database workgroup, user workgroup, port, VLAN, application, network services, and the like. In such embodiments, network node 102B, 102D may provide visibility to the internal LAN and enforce predetermined policies for the internal network LAN. For example, network node 102B, 102D may transmit information including processes, users, and/or files associated with each respective network. In some embodiments, a network node 102C may be associated with (e.g., provide access to) cloud networks such as an object storage service (e.g., S3 bucket). In such embodiments, network node 102C may provide visibility to the cloud network and enforce predetermined policies for the cloud network.

In some embodiments, a network node 102D may communicate with one or more agent nodes 106A-106B associated with one or more endpoints 104C-104D. The one or more endpoints 104C-104D may include one or more network connected devices according to some embodiments. In the context of the current disclosure, a network connected device may refer to any physical device connected to a network, whether local or remote, as well as any virtual devices and/or virtual services (e.g., micro-services) running on such devices included in the network or remote from the network. For example, a network connected device may include any computing device, e.g., a server, a mobile device, a desktop computer, a payment terminal with a computer chip, etc., or any other device or service in communication with the network. The network node 102D may obtain information regarding the one or more endpoints 104C-104D via the one or more agent nodes 106A-106B, as will be described in further detail below.

Agent nodes 106A-106B may provide visibility regarding each associated endpoint 104C-104D and may also enforce predetermined policies for the endpoints 104C-104D. In some embodiments, an agent node 106A-106B may comprise a browser plugin, a process memory-dumper, a plugin framework, etc. For example, a browser plugin may be configured to detect malicious URLs inside encrypted connections. As another example, a process memory-dumper may be configured to inspect and capture in-memory and running processes. The process memory-dumper may be further configured to automate connection to a controller 108 for disassembly and forensic analysis. As yet another example, a plugin framework may provide extensions for additional host-based detection, deception and mitigation capabilities via SQL query (e.g., OSQuery).

Agent nodes 106A-106B may be configured to query any software, e.g., installed on an endpoint 104C-104D, without requiring the software to be running. In some embodiments, agent nodes 106A-106B may detect vulnerable software across an organization, e.g., system 100, thereby providing useful information for asset inventory and compliance. For example, the agent nodes 106A-106B may query for and determine vulnerable versions of a web browser. In some embodiments, agent nodes 106A-106B may be configured to query any active processes and related connections. For example, the agent nodes 106A-106B may query for a specific open port. As another example, the agent nodes 106A-106B may query for any open remote ports. The agent nodes 106A-106B may be configured to query active users and associated processes and connections. For example, the agent nodes 106A-106B may query for a specific process executed by a user and retrieve the process path. As another example, the agent nodes 106A-106B may query for file-less processes with remote connections. In some embodiments, the agent nodes 106A-106B may perform queries on any connected devices.

FIG. 2 shows a block diagram of a computer network and environment (hereinafter referred to as system 200) for implementing embodiments of the present disclosure, or aspects thereof. As shown in FIG. 2, the system 200 may comprise a management plane 210 including a controller 208, a first zone proxy 212A, a second zone proxy 212B, a security information and event management system (SIEM) 214, a security operations workflow management system 215, an intelligence scoring system 216, and an openflow controller 218. SIEM 214 may be configured to aggregate and/or view security logs and alerts. Security operations workflow management system 215 may be configured to coordinate threat mitigation based on certain triggers, e.g., such as certain detected threats, and invoke changes in the system 200 to mitigate the threat and/or reflect the coordinated threat mitigation. Intelligence scoring system 216 may be configured to aggregate information associated with identified and/or potential threats, e.g., information provided by external systems and/or information based on threats detected and mitigated by the system 200, and determine scores for threats relevant to system 200. In some embodiments, an openflow controller 218 may be configured to use the OpenFlow protocol to connect and configure network devices, e.g., one or more switches, firewall modules, routers, and/or router-switch processors as depicted in FIG. 1, to determine optimal paths for network traffic. It is understood that the openflow controller 218 may be any appropriate software-defined network (SDN) controller in some embodiments. System 200 may further comprise one or more data plane zones 220A-220B. As shown in FIG. 2, each data plane zone 220A-220B may include a network node 202A-202B, an endpoint 204A-204B, an agent node 206A-206B, and an agent controller 214A-214B. An agent controller 214A-214B may be configured to communicate with a zone proxy 212A-212B and manage one or more associated agent nodes 206A-206B, as will be described in further detail below.

The controller 208 may manage each data plane zone 220A-220B via a dedicated proxy 212A-212B as shown in FIG. 2. It is understood that there may be fewer or more than two data plane zones in other embodiments. Cross domain communications, e.g., communications between the management plane 210 and the data plane zones 220A-220B, may be performed via the proxy 212A-212B and each dedicated data plane zone 220A-220B, e.g., network node 202A-202B and/or agent controller 214A-214B. Accordingly, zone-specific actions may be defined by the management plane 210 and dynamically managed throughout the system 200.

In some embodiments, management plane 210 communications may include policy, intelligence, distribution, and/or monitoring and/or statistics. For example, the controller 208 may transmit information including logging, events, and/or alerts to the SIEM 214. As another example, the controller 208 may perform workflow orchestration based on the security operations workflow system 215. As another example, the controller 208 may obtain threat scores from the intelligence scoring system 216. As yet another example, the controller 208 may communicate with the openflow controller 218 to determine optimal paths for network traffic. In some embodiments, management plane 210 communications may be encrypted.

In some embodiments, data plane communications may include communication between the agent controller 214A-214B and the agent node 206A-206B. An agent controller 214A may be configured to manage one or more agent nodes 206A within data plane zone 220A. The agent controller 214A may be configured to provide configuration management to agent node 206A and transmit image distribution and log aggregation information from the agent node 206A to the management plane 210 via zone proxy 212A. It is understood that data plane zone 220A may include two or more agent nodes, each associated with a separate endpoint, in other embodiments. In such embodiments, the agent controller 214A may be configured to manage the two or more agent nodes in data plane zone 220A.

FIG. 3 depicts a network node 300, according to some embodiments. The network node 300 may include a packet processing engine 310 and a processing analysis engine 320, according to some embodiments. While only one processing analysis engine 320 is depicted in FIG. 3, it is understood that the network node 300 may include two or more processing analysis engines in other embodiments.

In some embodiments, the packet processing engine 310 may be deployed inline to a network. The packet processing engine 310 may receive ingress data packets, e.g., IPv4 and/or IPv6 data packets. In some embodiments, the packet processing engine 310 may include a traffic merge component 312 in which the received data packets may be temporarily stored. The packet processing engine 310 may forward each received data packet to the processing analysis engine 320. The packet processing engine 310 may include a traffic replica component 314 configured to generate a replica of each temporarily stored data packet. In some embodiments, the traffic replica component 314 may be configured to generate a pointer for each temporarily stored data packet. In such embodiments, the traffic replica component 314 may share the generated pointers with the processing analysis engine 320, thereby enabling the processing analysis engine 320 to use the generated pointers to access the stored data packets. Some embodiments of the traffic merge component 312 and the traffic replica component 314, e.g., shared buffer 402 and packet coordinator 404, respectively, are depicted in and described below with reference to FIG. 4.

The packet processing engine 310 may further include a traffic basic filter component 315 configured to check if one or more attributes associated with the temporarily stored data packets match predetermined attributes. For example, the predetermined attributes may include a source, destination IP, port, protocol, etc. In some embodiments, the predetermined attributes may be associated with data packets, sessions, and/or data flows that may be malicious, e.g., C2 and/or exfiltration malware. If attributes associated with one or more data packets do not match the predetermined attributes, the one or more data packets may be forwarded to the intended destination via a switching component 318.

If attributes associated with the temporarily stored one or more data packets match the predetermined attributes, a Packet Processing Unit (PPU) engine component 316 may be configured to perform a dynamic action on the one or more data packets, a session associated with the one or more data packets, and/or a data flow associated with the one or more data packets. In some embodiments, the PPU engine component 316 may comprise a micro-program that includes an activation rule and micro-compiled code that is executed if the activation rule matches. In some embodiments, the micro-compiled code may be executed to respond to, copy, drop, route, and/or modify the one or more data packets. In some embodiments, the PPU engine component 316 may further include state and memory useful for subsequent re-execution of the micro-program. The micro-program may further include executing a program on one or more data packets, a session, and/or a data flow based on the one or more data packets. The micro-program may comprise both states and instructions. In some embodiments, the one or more data packets may be transparently routed to a deception server. In the context of the current disclosure, a deception server may refer to a server that acts like a legitimate server for the purpose of gathering information about a malicious actor and/or entity (also referred to collectively as an “adversary”), including what the adversary is trying to exploit and where the adversary is trying to gather information from. For example, the deception server may be utilized to detect SQL injection attempts. In some embodiments, the one or more data packets may reflect un-allowed traffic to bad domains. In such embodiments, the one or more data packets may be detected and redirected without detection by an adversary. In some embodiments, the one or more data packets may reflect encrypted malware. In such embodiments, the threat may be mitigated by dropping the one or more data packets.
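The two preceding paragraphs describe the traffic basic filter component 315 (attribute matching) feeding the PPU engine component 316 (a micro-program with an activation rule, action code, and state that survives re-execution). The following Python block is an added illustration, not code from the patent or from any product it describes; the attribute sets, the addresses in the documentation range 203.0.113.0/24, the port numbers, and the names `basic_filter`, `MicroProgram` and `process_packet` are all constructed for this example.

```python
"""Added example (not part of the patent text): a traffic basic filter that
compares packet attributes with predetermined attributes, and a PPU-style
micro-program (activation rule + action + persistent state) that runs only
when the filter matched. Non-matching packets are handed to the switching
component (here, simply the disposition "forward")."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str


@dataclass
class MicroProgram:
    """Activation rule, micro-code (the action), and state kept between runs."""
    name: str
    activation: Callable[[Packet], bool]
    action: Callable[[Packet, Dict[str, int]], str]
    state: Dict[str, int] = field(default_factory=dict)


# Predetermined attributes (constructed sample values). Each entry is an
# (attribute name, value) pair; a packet matches if any of its attributes
# appears in the set, mirroring the "source, destination IP, port, protocol"
# examples in the text.
PREDETERMINED_ATTRIBUTES = {
    ("dst", "203.0.113.10"),   # constructed: address of a known-bad domain
    ("dport", 4444),           # constructed: port used by a known-bad flow
}


def basic_filter(pkt: Packet) -> bool:
    """Traffic basic filter: True when at least one attribute matches."""
    attrs = {("src", pkt.src), ("dst", pkt.dst),
             ("dport", pkt.dport), ("proto", pkt.proto)}
    return bool(attrs & PREDETERMINED_ATTRIBUTES)


def drop_action(pkt: Packet, state: Dict[str, int]) -> str:
    """Micro-code that drops the packet and counts how often it fired."""
    state["dropped"] = state.get("dropped", 0) + 1
    return "drop"


def deception_action(pkt: Packet, state: Dict[str, int]) -> str:
    """Micro-code that transparently re-routes the packet to a deception
    server (constructed address) instead of its intended destination."""
    state["redirected"] = state.get("redirected", 0) + 1
    return "route:deception-server@203.0.113.250"


# Micro-programs are evaluated in order; the first whose activation rule
# matches performs the dynamic action.
PROGRAMS: List[MicroProgram] = [
    MicroProgram("drop-known-bad-port", lambda p: p.dport == 4444, drop_action),
    MicroProgram("deceive-bad-domain",
                 lambda p: p.dst == "203.0.113.10" and p.proto == "tcp",
                 deception_action),
]


def process_packet(pkt: Packet, programs: List[MicroProgram] = PROGRAMS) -> str:
    """Return the disposition the packet processing engine would apply."""
    if not basic_filter(pkt):
        return "forward"          # switching component 318 path
    for prog in programs:
        if prog.activation(pkt):  # PPU engine component 316 path
            return prog.action(pkt, prog.state)
    return "forward"              # matched attributes but no micro-program fired


def run_sample() -> Tuple[List[str], Dict[str, Dict[str, int]]]:
    """Run constructed sample traffic and report dispositions plus state."""
    sample = [
        Packet("10.0.0.5", "10.0.0.9", 443, "tcp"),         # benign
        Packet("10.0.0.5", "203.0.113.10", 80, "tcp"),      # bad domain
        Packet("10.0.0.7", "198.51.100.4", 4444, "tcp"),    # bad port
        Packet("10.0.0.7", "203.0.113.10", 4444, "udp"),    # both; port rule first
    ]
    results = [process_packet(p) for p in sample]
    return results, {p.name: dict(p.state) for p in PROGRAMS}


if __name__ == "__main__":
    print(run_sample())
```

Because the micro-program's `state` dictionary persists across calls, the drop counter reflects every re-execution, which is the "state and memory useful for subsequent re-execution" the text mentions; the fourth sample packet shows that program order decides which action runs when several activation rules match.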

The packet processing engine 310 may communicate such performed dynamic actions to the controller 308 and/or one or more network nodes 330A-330C. In such embodiments, the controller 308 and/or the one or more network nodes 330A-330C may dynamically detect and mitigate similar data packets based on the communication.

The processing analysis engine 320 may include a traffic replica receiver 322 configured to receive replicas of the temporarily stored data packets for a deep analysis of the data packets. The data packet replicas may be utilized by the detection module 324, which may include an event detection module 328 and one or more event handler modules 326A-326C. The event detection module 328 may be configured for a deep analysis of sessions, file extractions, intelligence correlation, and many other similar higher-level data signal analyses performed across multiple packet contexts including network and endpoint information. For example, the event detection module 328 may be configured to detect predetermined protocols and/or malware. In the context of the current disclosure, intelligence correlation may refer to identifying attributes associated with detected IPs, domains, C2s, and behaviors and utilizing such identified attributes to detect similar associated threats in other environments. Each detected protocol and/or malware may be referred to as an event, and the event handler modules 326A-326C may be configured to perform an analysis of an event. In some embodiments, an event handler module 326A may obtain information from an agent node 306 regarding an associated endpoint. The agent node 306 may provide visibility to a process, user information associated with executing the process, network and/or file state on the endpoint, and/or ownership of files, such that the information gained by that visibility may be used by the event handler module 326A for detection and coordination with the packet processing engine 310. For example, the event handler module 326A may query for information, run scans for malware on demand, and/or collect process images. Each of the event handler modules 326A-326C may be configured to detect predetermined protocols and/or obtain PPUs based on mitigation and detection macro-logic. For example, the event handler modules 326A-326C may obtain and/or generate micro-programs that include an activation rule and micro-compiled code that may be executed if the activation rule matches. The event handler modules 326A-326C may deploy such micro-programs to the packet processing engine 310 (e.g., traffic basic filter component 315, PPU engine component 316, and/or switching component 318).

In some embodiments, the controller 308 may receive messages from the packet processing engine 310, the agent node 306, and the processing analysis engine 320 such that those messages may be processed, organized and redistributed to other connected components, such as other network nodes 330A-330C, based on predetermined policies. For example, the controller 308 may perform a security analysis of the network including the network node 300, log the analysis, and/or perform a protocol or malware analysis based on the received messages. In some embodiments, the received messages may include endpoint process data obtained from the agent node 306, network metadata, associated PPUs, etc.

FIG. 4 depicts a network node 400, according to some embodiments. The network node 400 may include a packet processing engine 410 and a processing analysis engine 420, according to some embodiments. While only one processing analysis engine 420 is depicted in FIG. 4, it is understood that the network node 400 may include two or more processing analysis engines in other embodiments.

The packet processing engine 410 may include one or more shared buffers 402, a packet coordinator 404, and a packet processing action engine 406, according to some embodiments. As described above with reference to FIG. 3, the packet processing engine 410 may be deployed inline to a network. The packet processing engine 410 may receive ingress data packets, e.g., IPv4 and/or IPv6 data packets. In some embodiments, the received data packets may be temporarily stored in the one or more shared buffers 402. In some embodiments, the one or more shared buffers 402 may include one or more circular packet buffers. The use of circular packet buffers maintains optimal performance while continuously receiving ingress data packets. The processing analysis engine 420 may include one or more processes 422A-422N that may request access to packets temporarily stored in the shared buffers 402 to, for example, analyze the incoming packets. It should be understood that the one or more processes 422A-422N may be located in one or more processing analysis engines in other embodiments. For example, processes 422A and 422B may be located in the processing analysis engine 420, and a separate process may be located in a separate processing analysis engine. It should be further understood that the separate processing analysis engine may be located in the network node 400 or a separate network node. That is, one or more processes of a separate processing analysis engine of the network node 400 and/or a separate network node may request access to packets temporarily stored, e.g., packets 412A-412N, in the shared buffers 402. In some embodiments, the one or more processes 422A-422N may include one or more event handler modules 326A-326C, event detection modules 328, and/or detection modules 324, as described above with reference to FIG. 3.

The packet coordinator 404 may coordinate requests from multiple separate processes, e.g., processes 422A-422N, to access the same temporarily stored packet without the need to copy the packet for each process. In some embodiments, the packet coordinator 404 may generate a software pipe between each of the requesting processes 422A-422N and the shared buffer 402 such that the shared buffer 402 may be accessed as shared memory across multiple processes 422A-422N. That is, the packet coordinator 404 may establish temporary connections between each requesting process 422A-422N and the shared buffer 402 such that the requesting processes 422A-422N may access packets temporarily stored, e.g., packets 412A-412N, in the shared buffer 402. Accordingly, the requesting processes 422A-422N may each access a same temporarily stored packet simultaneously or in any order. In some embodiments, the requesting processes 422A-422N may access temporarily stored packets in the shared buffer 402 via respective software pipes and one or more shared pointers. In such embodiments, the requesting processes 422A-422N may use each respective software pipe to access one or more shared pointers, each of which points to a packet temporarily stored in the shared buffer 402, as will be described in further detail below.

The packet coordinator 404 may generate a shared pointer pointing to a temporarily stored packet for each process, e.g., processes 422A-422N, requesting access to the temporarily stored packet. For example, the packet coordinator 404 may generate a first shared pointer pointing to a packet temporarily stored, e.g., packet 412A, in the shared buffer 402 upon receiving a request from a first process, e.g., process 422A, to access the temporarily stored packet 412A. The first shared pointer may be assigned to process 422A, and the assigned first shared pointer may be transmitted and/or otherwise shared with the process 422A such that the process 422A may use the first shared pointer to access the temporarily stored packet 412A. The packet coordinator 404 may generate a second shared pointer pointing to the same temporarily stored packet 412A in the shared buffer 402 upon receiving a request from a second process, e.g., process 422B, to access the same temporarily stored packet 412A. Similarly, the second shared pointer may be assigned to process 422B, and the assigned second shared pointer may be transmitted and/or otherwise shared with the process 422B such that the process 422B may use the second shared pointer to access the same temporarily stored packet 412A. It is understood that more than two shared pointers may be generated, where each shared pointer may be assigned to a separate process and points to the same packet. Similarly, it should also be understood that more than one shared pointer may be generated for a specific process. For example, the specific process may transmit two or more requests to access two or more temporarily stored packets. In such instances, the packet coordinator 404 may generate a shared pointer corresponding to each request, such that the specific process may use each respective shared pointer to access the corresponding packet temporarily stored in the shared buffer 402.

Accordingly, the one or more processes 422A-422N may be enabled to access the same packet temporarily stored in the shared buffer 402 and perform analysis, e.g., security analysis, of the packet without contention. In some embodiments, a process may determine that an action must be taken on the temporarily stored packet (hereinafter referred to as the "identified packet") based on the performed analysis. For example, the identified packet may be determined to be part of a security threat to a network. In such embodiments, the process may dynamically transmit a request to the packet coordinator 404 to take the appropriate action on the identified packet. For example, the process may transmit a message to the packet coordinator 404 to drop the identified packet and/or a session associated with the identified packet, such that no concurrent actions are taken on the identified packet by other processes. As only the identified packet itself is temporarily stored in the shared buffer 402, with no copies of it, such actions may be performed effectively and efficiently, especially in instances in which many processes (or multiple instances of the same process) request access to each temporarily stored packet.

In some embodiments, the action may be performed by the packet coordinator 404 and/or the packet processing action engine 406. In some embodiments, the packet processing action engine 406 may comprise the PPU engine component 316 as described above with reference to FIG. 3. Accordingly, the packet processing action engine 406 may be configured to perform a dynamic action on the identified packet, a session associated with the identified data packet, and/or a data flow associated with the identified data packet. For example, the packet processing action engine 406 may respond to, copy, drop, route, and/or modify the identified data packet, as described in further detail above with reference to FIG. 3. It should be understood that any combination of the packet coordinator 404 and the packet processing action engine 406 may be configured to perform the functions of the PPU engine component 316 in some embodiments.

In some embodiments, information regarding the performed action may be transmitted to a controller 408, e.g., controllers 108, 208, 308 as described above with reference to FIGS. 1-3, the processes 422A-422N, and/or other network nodes. The controller 408 may monitor and/or analyze network traffic associated with the network node 400 based on such received information. In some embodiments, one or more of the processes 422A-422N, the packet coordinator 404, and/or the packet processing action engine 406 may transmit information regarding a current status of each respective component and associated data packet 412A-412N. The controller 408 may monitor and/or analyze network traffic associated with the network node 400 based on this information. In some embodiments, the controller 408 may be configured to control (e.g., perform actions on) network traffic associated with the network node 400 based on the information received from the aforementioned components. That is, the network traffic directed to, directed from, and/or currently stored in the network node 400 may be controlled from a single point, e.g., the controller 408.

FIG. 5 depicts an exemplary method 500 for securing a network comprising one or more network nodes connecting a plurality of network connected devices of the network according to some embodiments. The method 500 may begin with step 502 in which a plurality of data packets may be received at a network node of the network. In step 504, the received data packets may be temporarily stored in a shared buffer of the network node. In some embodiments, the shared buffer may be a shared circular buffer.

In step 506, a first request transmitted by a first processing engine to access a first temporarily stored data packet may be received. In step 508, a connection may be established with the first processing engine. In step 510, a first pointer to the first temporarily stored data packet may be generated. In step 512, the first processing engine may be enabled to use the generated first pointer to access the first temporarily stored data packet.

In step 514, a second request transmitted by a second processing engine to access the first temporarily stored data packet may be received. In step 516, a connection with the second processing engine may be established. In step 518, a second pointer to the first temporarily stored data packet may be generated, where the second pointer is different from the first pointer while pointing to the same first temporarily stored data packet. In step 520, the second processing engine may be enabled to use the generated second pointer to access the first temporarily stored data packet.

In some embodiments, process 500 may include a further step in which a message regarding the first temporarily stored data packet may be received from the first processing engine and/or the second processing engine. In such embodiments, the first temporarily stored data packet may be processed based on the received message, wherein processing the first temporarily stored data packet may include dropping the first data packet from the buffer, routing it from the buffer, and/or modifying the data packet. In some embodiments, the first processing engine, the second processing engine, and/or a controller may be notified regarding the processed first temporarily stored data packet.

In some embodiments, process 500 may include a further step in which a third request transmitted by a third processing engine to access the first temporarily stored data packet may be received. In some embodiments, a connection with the third processing engine may be established. In some embodiments, a third pointer to the first temporarily stored data packet may be generated. The third pointer may be different from the first and second pointers while pointing to the same first temporarily stored data packet. In some embodiments, the third processing engine may be enabled to use the generated third pointer to access the first temporarily stored data packet.
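The following is an added illustration of the scheme described for the packet coordinator 404 (FIG. 4) and for steps 502-520 of method 500; it is not code from the patent. The class names SharedCircularBuffer, SharedPointer and PacketCoordinator, the method names, and the sample packet bytes are all constructed for the example. It shows two processes receiving distinct pointers that resolve to one stored copy of the same packet, a drop request that is applied exactly once even when several holders ask for it, with the other holders and the controller notified, and it goes one step beyond the text by tagging each ring slot with a generation number so that a pointer held across a buffer wrap-around fails closed instead of silently reading a newer packet.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class SharedPointer:
    """Per-process handle to one packet slot (name is an assumption).
    Two handles to the same packet are distinct objects but carry the same
    (slot, generation) pair, so both resolve to the single stored copy."""
    owner: str        # requesting process, e.g. "422A" in the text
    slot: int         # index into the circular buffer
    generation: int   # detects a slot that has since been overwritten


class SharedCircularBuffer:
    """Fixed-size ring of packet slots; the newest packet overwrites the oldest."""

    def __init__(self, capacity: int) -> None:
        self._slots: List[Optional[bytes]] = [None] * capacity
        self._gen: List[int] = [0] * capacity   # bumped each time a slot is (re)filled
        self._head = 0

    def ingest(self, packet: bytes) -> Tuple[int, int]:
        """Store one ingress packet and return its (slot, generation)."""
        slot = self._head
        self._slots[slot] = packet
        self._gen[slot] += 1
        self._head = (slot + 1) % len(self._slots)
        return slot, self._gen[slot]

    def read(self, slot: int, generation: int) -> bytes:
        """Return the stored bytes, refusing stale or already-dropped slots."""
        data = self._slots[slot]
        if self._gen[slot] != generation or data is None:
            raise LookupError(f"slot {slot} gen {generation} no longer holds that packet")
        return data

    def clear(self, slot: int) -> None:
        self._slots[slot] = None


class PacketCoordinator:
    """Issues one distinct SharedPointer per access request, resolves every pointer
    to the same stored bytes (no per-process copy), and applies an action on a
    packet exactly once, notifying all holders and the controller."""

    def __init__(self, buf: SharedCircularBuffer) -> None:
        self._buf = buf
        self._holders: Dict[Tuple[int, int], List[SharedPointer]] = {}
        self._actions: Dict[Tuple[int, int], str] = {}
        self.notifications: List[str] = []

    def request_access(self, process: str, slot: int, generation: int) -> SharedPointer:
        ptr = SharedPointer(process, slot, generation)
        self._holders.setdefault((slot, generation), []).append(ptr)
        return ptr

    def access(self, ptr: SharedPointer) -> bytes:
        return self._buf.read(ptr.slot, ptr.generation)

    def request_action(self, ptr: SharedPointer, action: str) -> bool:
        """Apply `action` to the packet `ptr` refers to. Returns True if this call
        performed it, False if another holder's request already did."""
        key = (ptr.slot, ptr.generation)
        if key in self._actions:
            return False
        self._actions[key] = action
        if action == "drop":
            self._buf.clear(ptr.slot)
        for holder in self._holders.get(key, []):
            self.notifications.append(f"{holder.owner}: slot {ptr.slot} {action} by {ptr.owner}")
        self.notifications.append(f"controller: slot {ptr.slot} {action} by {ptr.owner}")
        return True


def demo() -> dict:
    """Walk through steps 502-520 plus the drop action; returns the observable outcomes."""
    buf = SharedCircularBuffer(capacity=4)
    coord = PacketCoordinator(buf)
    pkt_a = b"\x45\x00\x00\x1c" + b"constructed-ipv4-payload-A"   # constructed, not captured
    pkt_b = b"\x45\x00\x00\x1c" + b"constructed-ipv4-payload-B"   # constructed, not captured
    slot_a, gen_a = buf.ingest(pkt_a)                    # steps 502/504
    slot_b, gen_b = buf.ingest(pkt_b)
    p1 = coord.request_access("422A", slot_a, gen_a)     # steps 506-512
    p2 = coord.request_access("422B", slot_a, gen_a)     # steps 514-520
    p3 = coord.request_access("422A", slot_b, gen_b)     # second pointer for one process
    same_object = coord.access(p1) is coord.access(p2)   # one copy, two pointers
    first_drop = coord.request_action(p1, "drop")        # 422A flags the packet
    second_drop = coord.request_action(p2, "drop")       # 422B asks too: already done
    try:
        coord.access(p2)
        read_after_drop_fails = False
    except LookupError:
        read_after_drop_fails = True
    for i in range(4):                                   # ring wraps; slot_b is reused
        buf.ingest(b"constructed-filler-%d" % i)
    try:
        coord.access(p3)
        stale_fails = False
    except LookupError:
        stale_fails = True
    return {"distinct_pointers": p1 != p2, "same_object": same_object,
            "first_drop": first_drop, "second_drop": second_drop,
            "read_after_drop_fails": read_after_drop_fails,
            "stale_fails": stale_fails, "notifications": len(coord.notifications)}


if __name__ == "__main__":
    print(demo())
```

The generation tag is the practitioner's check on a circular buffer: once the oldest slot is overwritten, any pointer still held by a slow analysis process must be rejected rather than read as if it were the original packet.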

In some embodiments, the network node may include the first processing engine. In some embodiments, the network node may include the shared buffer and a remote network node may include the second processing engine.

Program aspects of the technology may be thought of as "products" or "articles of manufacture" typically in the form of executable code and/or associated data that is carried on or embodied in a type of machine readable medium. "Storage" type media include any or all of the tangible memory of the computers, processors or the like, or associated modules thereof, such as various semiconductor memories, tape drives, disk drives and the like, which may provide non-transitory storage at any time for the software programming. All or portions of the software may at times be communicated through the Internet or various other telecommunication networks. Such communications, for example, may enable loading of the software from one computer or processor into another, for example, from a management server or host computer of the mobile communication network into the computer platform of a server and/or from a server to the mobile device. Thus, another type of media that may bear the software elements includes optical, electrical and electromagnetic waves, such as used across physical interfaces between local devices, through wired and optical landline networks and over various air-links. The physical elements that carry such waves, such as wired or wireless links, optical links, or the like, also may be considered as media bearing the software. As used herein, unless restricted to non-transitory, tangible "storage" media, terms such as computer or machine "readable medium" refer to any medium that participates in providing instructions to a processor for execution.

The many features and advantages of the disclosure are apparent from the detailed specification, and thus, it is intended by the appended claims to cover all such features and advantages of the disclosure which fall within the true spirit and scope of the disclosure. Further, since numerous modifications and variations will readily occur to those skilled in the art, it is not desired to limit the disclosure to the exact construction and operation illustrated and described, and accordingly, all suitable modifications and equivalents may be resorted to, falling within the scope of the disclosure.

1-20. (canceled)
21. A computer-implemented method comprising: establishing a first connection between a first processing engine and a shared buffer; generating a first pointer to a data packet in the shared buffer using the established first connection; establishing a second connection between a second processing engine and the shared buffer; and generating a second pointer to the data packet using the established second connection, the second pointer being different from the first pointer, wherein the first processing engine is able to use the generated first pointer to access the data packet while the second processing engine uses the generated second pointer to access the data packet.
22. The computer-implemented method of claim 21, wherein the shared buffer is a shared circular buffer.
23. The computer-implemented method of claim 21, further comprising: establishing a third connection between a third processing engine and the shared buffer; and generating a third pointer to the data packet using the established third connection.
24. The computer-implemented method of claim 21, further comprising: receiving a message regarding the data packet from one or more of the first processing engine or the second processing engine.
25. The computer-implemented method of claim 24, further comprising: processing the data packet based on the received message, wherein processing the data packet includes one or more of dropping the data packet from the shared buffer, routing the data packet from the shared buffer, or modifying the data packet; and notifying one or more of the first processing engine, the second processing engine, or a controller regarding the processed data packet.
26. The computer-implemented method of claim 21, wherein the first processing engine is in a network node.
27. The computer-implemented method of claim 21, wherein the shared buffer is in a first network node, and the second processing engine is in a second network node.
28. An apparatus comprising: a data storage device storing processor-readable instructions; and one or more processors configured to execute the instructions to perform a method including: establishing a first connection between a first processing engine and a shared buffer; generating a first pointer to a data packet in the shared buffer using the established first connection; establishing a second connection between a second processing engine and the shared buffer; and generating a second pointer to the data packet using the established second connection, the second pointer being different from the first pointer, wherein the first processing engine is able to use the generated first pointer to access the data packet while the second processing engine uses the generated second pointer to access the data packet.
29. The apparatus of claim 28, wherein the shared buffer is a shared circular buffer.
30. The apparatus of claim 28, wherein the one or more processors are further configured for: establishing a third connection between a third processing engine and the shared buffer; and generating a third pointer to the data packet using the established third connection.
31. The apparatus of claim 28, wherein the one or more processors are further configured for: receiving a message regarding the data packet from one or more of the first processing engine or the second processing engine.
32. The apparatus of claim 31, wherein the one or more processors are further configured for: processing the data packet based on the received message, wherein processing the first data packet includes one or more of dropping the data packet from the shared buffer, routing the data packet from the shared buffer, or modifying the data packet; and notifying one or more of the first processing engine, the second processing engine, or a controller regarding the processed data packet.
33. The apparatus of claim 28, wherein the apparatus includes the first processing engine.
34. The apparatus of claim 28, wherein the apparatus includes the shared buffer, and a remote apparatus includes the second processing engine.
35. A non-transitory computer-readable medium containing instructions that, when executed by one or more processors, cause the one or more processors to perform a method comprising: establishing a first connection between a first processing engine and a shared buffer; generating a first pointer to a data packet in the shared buffer using the established first connection; establishing a second connection between a second processing engine and the shared buffer; and generating a second pointer to the data packet using the established second connection, the second pointer being different from the first pointer, wherein the first processing engine is able to use the generated first pointer to access the data packet while the second processing engine uses the generated second pointer to access the data packet.
36. The computer-readable medium of claim 35, wherein the shared buffer is a shared circular buffer.
37. The computer-readable medium of claim 35, the method further comprising: establishing a third connection between a third processing engine and the shared buffer; and generating a third pointer to the data packet using the established third connection.
38. The computer-readable medium of claim 35, the method further comprising: receiving a message regarding the data packet from one or more of the first processing engine or the second processing engine.
39. The computer-readable medium of claim 38, the method further comprising: processing the data packet based on the received message, wherein processing the first data packet includes one or more of dropping the data packet from the shared buffer, routing the data packet from the shared buffer, or modifying the data packet; and notifying one or more of the first processing engine, the second processing engine, or a controller regarding the processed data packet.
40. The computer-readable medium of claim 35, wherein the first processing engine is a first network node, and the second processing engine is a second network node.